CVE-2011-4973 [mod_nss FakeBasicAuth authentication bypass]
	- libapache2-mod-nss (low; bug #729626)
CVE-2011-4972 [CKEditor module for Drupal access bypass]
	NOT-FOR-US: Drupal module
CVE-2011-4970 [Multiple SQL Injection vulnerabilities in Disk Pool Manager (DPM)]
	- lcgdm 1.8.6-1 (low; bug #702895)
CVE-2011-4968 [nginx http proxy module does not verify peer identity of https origin server]
	- nginx (low; bug #697940)
CVE-2011-4967
	NOT-FOR-US: OpenPegasus
CVE-2011-4958 [silverstripe: XSS]
	- silverstripe (bug #528461)
CVE-2011-4955
	NOT-FOR-US: wordpress bsuite plugin
CVE-2011-4954
	- cobbler (bug #545583)
CVE-2011-4953
	- cobbler (bug #545583)
CVE-2011-4952
	- cobbler (bug #545583)
CVE-2011-4938
	NOT-FOR-US: Ariadne CMS not in Debian
CVE-2011-4937
	- joomla (bug #571794)
CVE-2011-4936
	- joomla (bug #571794)
CVE-2011-4935
	- joomla (bug #571794)
CVE-2011-4934
	- joomla (bug #571794)
CVE-2011-4933
	- joomla (bug #571794)
CVE-2011-4931
	- gpw (unimportant; bug #651510)
CVE-2011-4930
	- condor (Fixed before initial release)
CVE-2011-4924
	- zope2.12 2.12.22-1
CVE-2011-4919 [mpack info disclosure]
	- mpack 1.6-8 (low; bug #655971)
CVE-2011-4917
	- linux-2.6 (unimportant)
CVE-2011-4915
	- linux-2.6 (unimportant)
CVE-2011-4912
	NOT-FOR-US: Joomla
CVE-2011-4908
	NOT-FOR-US: Joomla
CVE-2011-4907
	NOT-FOR-US: Joomla
CVE-2011-4906
	NOT-FOR-US: Joomla
CVE-2011-4904
	{DSA-2289-1}
CVE-2011-4903
	{DSA-2289-1}
CVE-2011-4902
	{DSA-2289-1}
CVE-2011-4901
	{DSA-2289-1}
CVE-2011-4900
	{DSA-2289-1}
CVE-2011-4632
	{DSA-2289-1}
CVE-2011-4631
	{DSA-2289-1}
CVE-2011-4630
	{DSA-2289-1}
CVE-2011-4629
	{DSA-2289-1}
CVE-2011-4628
	{DSA-2289-1}
CVE-2011-4627
	{DSA-2289-1}
CVE-2011-4626
	{DSA-2289-1}
CVE-2011-4625 [simplesamlphp xml encryption issues]
	{DSA-2330-1}
CVE-2011-4624
	NOT-FOR-US: WordPress flash-album-gallery
CVE-2011-4613 [X launcher permission bypass]
	{DSA-2364-1}
CVE-2011-4610
	- jbossas4 (Only builds a few libraries, not the full application server)
CVE-2011-4600
	- libvirt 0.9.9-1 (low)
CVE-2011-4595
	NOT-FOR-US: WordPress pretty-link plugin
CVE-2011-4580
	NOT-FOR-US: JBoss Enterprise Portal Platform
CVE-2011-4573
	NOT-FOR-US: JBoss Operations Network
CVE-2011-4558
	- tikiwiki
CVE-2011-4455
	- tikiwiki
CVE-2011-4454
	- tikiwiki
CVE-2011-4407 [apt-add-repository does not perform ssl verification where it *needs* to]
	- software-properties 0.76.7debian2+nmu2
CVE-2011-4406
	- accountsservice 0.6.15-3
CVE-2011-4366
	NOT-FOR-US: ** REJECT ** duplicate of CVE-2011-4090
CVE-2011-4365
	NOTE: duplicate of CVE-2011-4090
CVE-2011-4350
	- yaws 1.91-2 (bug #650009)
CVE-2011-4343
	NOT-FOR-US: Apache MyFaces
CVE-2011-4338
	NOT-FOR-US: Arch-Linux specific tool
CVE-2011-4336
	NOT-FOR-US: Tiki Wiki
CVE-2011-4334
	NOT-FOR-US: LabWiki
CVE-2011-4333
	NOT-FOR-US: LabWiki
CVE-2011-4327
	- openssh (Only affects platforms w/o /dev/random)
CVE-2011-4322
	NOT-FOR-US: websitebaker
CVE-2011-4310
	- cmsms (bug #608888)
CVE-2011-4195
	NOT-FOR-US: Suse kiwi (different from python-kiwi)
CVE-2011-4193
	NOT-FOR-US: Suse kiwi (different from python-kiwi)
CVE-2011-4192
	NOT-FOR-US: Suse kiwi (different from python-kiwi)
CVE-2011-4121
	- ruby1.9.1 (Only affected trunk versions)
CVE-2011-4120 [authentication bypass by pressing ctrl-d]
	- yubico-pam 2.10-1
CVE-2011-4117
	NOT-FOR-US: perl Batch::BatchRun CPAN module
CVE-2011-4116
	- perl (unimportant)
CVE-2011-4115
	- libparallel-forkmanager-perl (issue introduced in 0.7.6 upstream, never in Debian)
CVE-2011-4111
	- qemu 0.15.1+dfsg-2
CVE-2011-4104
	- django-tastypie 0.9.10-1 (bug #647314)
CVE-2011-4103 [YAML deserialization vulnerability in Piston framework]
	{DSA-2344-1}
CVE-2011-4099
	- libcap2 1:2.22-1 (low)
CVE-2011-4095
	NOT-FOR-US: Jara
CVE-2011-4094
	NOT-FOR-US: Jara
CVE-2011-4093
	- net6 1:1.3.14-1 (low; bug #647318)
CVE-2011-4092
	- obby (low; bug #647317)
CVE-2011-4091
	[squeeze] - net6 (Minor issue)
CVE-2011-4090 [serendipity before 1.6 backend XSS in karma plugin]
	- serendipity (bug #650937)
CVE-2011-4089
	- bzip2 1.0.6-1 (low; bug #632862)
CVE-2011-4088
	NOT-FOR-US: abrt/libreport
CVE-2011-4083
	NOT-FOR-US: RedHat sos
CVE-2011-4082
	- phpldapadmin 0.9.8-1
CVE-2011-3923
	- libstruts1.2-java (Only affects 2.x)
CVE-2011-3642 [flowplayer-core: Arbitrary plugins with remote code execution (XSS)]
	- mahara (low; bug #699230)
CVE-2011-3634
	- apt 0.8.11 (low)
CVE-2011-3632 [hardlink has buffer overflows, is unsafe on changing trees]
	- hardlink (Only the C version, ours are written in Python)
CVE-2011-3631 [hardlink has buffer overflows, is unsafe on changing trees]
	- hardlink (Only the C version, ours are written in Python)
CVE-2011-3630 [hardlink has buffer overflows, is unsafe on changing trees]
	- hardlink (Only the C version, ours are written in Python)
CVE-2011-3629
	NOT-FOR-US: Joomla
CVE-2011-3628
	- pam 1.1.3-7 (low; bug #670076)
CVE-2011-3625 [mplayer SAMI subtitle parsing buffer overflow]
	- mplayer 2:1.0~rc4.dfsg1+svn33713-2 (bug #645987)
CVE-2011-3624
	- ruby1.8 (low; bug #646020)
CVE-2011-3623 [media-video/vlc-1.0.2: Multiple stack-based buffer overflows in ASF, AVI, MP4 demuxers]
	- vlc 1.1.3-1
CVE-2011-3622
	NOT-FOR-US: phorum
CVE-2011-3621
	NOT-FOR-US: fluxbb
CVE-2011-3618 [atop insecure tempfile handling]
	- atop 1.23-1.1 (low; bug #622794)
CVE-2011-3617 [tahoe-lafs: an unauthorized user can delete files]
	- tahoe-lafs 1.8.3-1 (bug #641540)
CVE-2011-3614 [vanilla plugin access control]
	NOT-FOR-US: Vanilla Forums
CVE-2011-3613 [vanilla forums cookie theft]
	NOT-FOR-US: Vanilla Forums
CVE-2011-3612 [HTB22913: Multiple CSRF in UseBB]
	NOT-FOR-US: UseBB
CVE-2011-3611 [HTB22914: Local File Inclusion in UseBB]
	NOT-FOR-US: UseBB
CVE-2011-3610 [serendipity freetag plugin before 3.30 and probably others]
	NOT-FOR-US: Serendipity plugin
CVE-2011-3609 [CSRF in the JBoss AS 7 administration console & HTTP management API]
	- jbossas4 (Only builds a few libraries, not the full application server, #581226)
CVE-2011-3606 [DOM based XSS in the JBoss AS 7 administration console]
	- jbossas4 (Only builds a few libraries, not the full application server, #581226)
CVE-2011-3605
	{DSA-2323-1}
CVE-2011-3604
	{DSA-2323-1}
CVE-2011-3603
	NOTE: http://seclists.org/oss-sec/2011/q4/30
CVE-2011-3602
	{DSA-2323-1}
CVE-2011-3601
	{DSA-2323-1}
CVE-2011-3600
	- libxmlrpc3-java 3.1.3-1 (low)
CVE-2011-3596
	- polipo 1.0.4.1-1.2 (bug #644289)
CVE-2011-3595
	- joomla (bug #571794)
CVE-2011-3592 [phpMyAdmin did not properly sanitize the content of db, table, and column names prior to use of their values.]
	- phpmyadmin 4:3.4.5-1
CVE-2011-3591 [PMASA-2011-14 XSS]
	- phpmyadmin 4:3.4.5-1
CVE-2011-3590 [mkdumprd utility created the final initial ramdisk image with...]
	- kexec-tools (The flaw exists in kdump.init and mkdumprd scripts, shipped only with Red Hat and Fedora)
CVE-2011-3589 [mkdumprd utility copied content of certain directories into newly...]
	- kexec-tools (The flaw exists in kdump.init and mkdumprd scripts, shipped only with Red Hat and Fedora)
CVE-2011-3588 [kdump/mkdumprd: the default value of "StrictHostKeyChecking=no"]
	- kexec-tools (The flaw exists in kdump.init and mkdumprd scripts, shipped only with Red Hat and Fedora)
CVE-2011-3586
	NOTE: Dupe of CVE-2011-3504, to be rejected
CVE-2011-3585
	- samba 2:3.4.7~dfsg-2 (low)
CVE-2011-3584 [TYPO3-SA-2011-003]
	- typo3-src 4.5.6+dfsg1-1 (low; bug #641683)
CVE-2011-3583 [TYPO3-SA-2011-002]
	- typo3-src 4.5.6+dfsg1-1 (low; bug #641682)
CVE-2011-3582
	NOT-FOR-US: Advanced Electron Forums
CVE-2011-3350 [masqmail improper privilege dropping]
	- masqmail 0.2.30-1 (low; bug #638002)
CVE-2011-3377 [IcedTea browser plugin Same Origin Policy suffix issue]
	{DSA-2420-1}
CVE-2011-3374 [apt-key insecure validation]
	- apt (unimportant; bug #642480)
CVE-2011-3373
	NOT-FOR-US: Views Bulk Operations module for Drupal
CVE-2011-3370
	- statusnet (bug #491723)
CVE-2011-3355
	- evolution-data-server3 3.2.1-1 (bug #641052)
CVE-2011-3352
	NOT-FOR-US: Zikula
CVE-2011-3351
	- openvas-scanner (bug #641327; low)
CVE-2011-3349 [lightdm denial of service]
	- lightdm 0.9.6-1 (bug #639151)
CVE-2011-3346
	- qemu-kvm 0.15.1+dfsg-1 (bug #646118)
CVE-2011-3344
	NOT-FOR-US: Red Hat Network Satellite server
CVE-2011-3203 [Jcow CMS 4.x:4.2 <= , 5.x:5.2 <= | Arbitrary Code Execution]
	NOT-FOR-US: Jcow
CVE-2011-3202 [Jcow CMS 4.2 <= | Cross Site Scripting]
	NOT-FOR-US: Jcow
CVE-2011-3199
	{DSA-2365-1}
CVE-2011-3198
	{DSA-2365-1}
CVE-2011-3197
	{DSA-2365-1}
CVE-2011-3196
	{DSA-2365-1}
CVE-2011-3195
	{DSA-2365-1}
CVE-2011-3183
	NOT-FOR-US: Concrete CMS
CVE-2011-3180
	NOT-FOR-US: Suse kiwi (different from python-kiwi)
CVE-2011-3154
	- update-manager (ubuntu-specific issue)
CVE-2011-3153
	- lightdm 1.0.6-2
CVE-2011-3152
	- update-manager (ubuntu-specific issue)
CVE-2011-3145
	{DSA-2382-1}
CVE-2011-2941
	NOT-FOR-US: JBoss Enterprise Portal Platform
CVE-2011-2936
	- elgg (bug #526197)
CVE-2011-2935
	- elgg (bug #526197)
CVE-2011-2934
	NOT-FOR-US: WebsiteBaker
CVE-2011-2933
	NOT-FOR-US: WebsiteBaker
CVE-2011-2927
	NOT-FOR-US: Red Hat Network Satellite server
CVE-2011-2924
	- foomatic-filters 4.0.12-1 (low)
CVE-2011-2923
	- foomatic-filters (unimportant)
CVE-2011-2922
	- ktsuss
CVE-2011-2921
	- ktsuss
CVE-2011-2920
	NOT-FOR-US: Red Hat Network Satellite server
CVE-2011-2919
	NOT-FOR-US: Red Hat Network Satellite server
CVE-2011-2916
	- qtnx (low; bug #637439)
CVE-2011-2910
	- ax25-tools 0.0.8-13.2 (low; bug #638198)
CVE-2011-2909
	{DSA-2303-1}
CVE-2011-2902 [xpdf: insecure tempfile usage]
	- xpdf 3.02-19 (low; bug #635849)
CVE-2011-2897
	- gdk-pixbuf (This only applies to the old standalone copy shipped until Lenny)
CVE-2011-2765 [pyro: insecure use of temporary pid file]
	- pyro 1:3.14-1 (low; bug #631912)
CVE-2011-2727
	NOT-FOR-US: Tribiq CMS
CVE-2011-2726 [SA-CORE-2011-003]
	- drupal7 7.6-1
CVE-2011-2725 [ark directory traversal]
	- kdeutils 4:4.6.5-4 (low; bug #635541)
CVE-2011-2717
	NOT-FOR-US: udhcp6c
CVE-2011-2715
	NOT-FOR-US: Drupal data module
CVE-2011-2714
	NOT-FOR-US: Drupal data module
CVE-2011-2706
	NOT-FOR-US: sNews
CVE-2011-2702 [eglibc signedness vulnerability in ssse3 optimizations]
	- eglibc 2.13-10
CVE-2011-2684
	- foo2zjs 20110722dfsg-1 (low; bug #633870)
CVE-2011-2683
	- reseed
CVE-2011-2538
	- plone3
CVE-2011-2523
	- vsftpd (backdoored version was never in the Debian archive)
CVE-2011-2515
	- packagekit 0.6.17-1
CVE-2011-2514
	- openjdk-6 6b21~pre1-1
CVE-2011-2513
	- openjdk-6 6b21~pre1-1
CVE-2011-2500
	- nfs-utils 1:1.2.4-1 (bug #633155)
CVE-2011-2499
	NOT-FOR-US: Mambo CMS
CVE-2011-2498
	- linux-2.6 2.6.39-1 (low)
CVE-2011-2487
	NOT-FOR-US: Apache CXF
CVE-2011-2480 [kfreebsd info disclosure]
	- kfreebsd-9 9.0~svn223502-1 (bug #631160)
CVE-2011-2207
	- dirmngr (unimportant; bug #627377)
CVE-2011-2187
	- xscreensaver 5.14-1 (bug #627382)
CVE-2011-2186
	NOTE: Disputed gitweb non-issue: https://bugzilla.redhat.com/show_bug.cgi?id=713298
CVE-2011-2177
	- libreoffice
CVE-2011-2198 [vte memory exhaustion]
	- vte 1:0.28.1-1 (low; bug #629688)
CVE-2011-2054
	NOT-FOR-US: ** REJECT ** CVE-2011-2054 misused as CVE-2011-2524
CVE-2011-1939
	- zendframework 1.11.6-1 (low)
CVE-2011-1935 [packet truncation in libpcap]
	- libpcap 1.1.1-4 (low; bug #623868)
CVE-2011-1934 [lilo: lilo.conf world-readable]
	- lilo 23.1-2 (low; bug #615103)
CVE-2011-1933
	- libjifty-dbi-perl 0.68-1 (low; bug #622919)
CVE-2011-1930
	- klibc 1.5.22-1 (low)
CVE-2011-1837
	{DSA-2382-1}
CVE-2011-1836
	- ecryptfs-utils 92-1
CVE-2011-1835
	{DSA-2382-1}
CVE-2011-1834
	{DSA-2382-1}
CVE-2011-1832
	{DSA-2382-1}
CVE-2011-1831
	{DSA-2382-1}
CVE-2011-1798
	- chromium-browser 11.0.696.65~r84435-1
CVE-2011-1796
	- chromium-browser 11.0.696.65~r84435-1
CVE-2011-1795
	- chromium-browser 11.0.696.65~r84435-1
CVE-2011-1794
	- chromium-browser 11.0.696.65~r84435-1
CVE-2011-1793
	- chromium-browser 11.0.696.65~r84435-1
CVE-2011-1773
	NOT-FOR-US: virt-v2v
CVE-2011-1749 [nfs-utils: mount.nfs fails to anticipate RLIMIT_FSIZE]
	- nfs-utils 1:1.2.3-3 (low; bug #629420)
CVE-2011-1597
	NOT-FOR-US: OpenVAS Manager
CVE-2011-1596
	NOT-FOR-US: ** REJECT ** (regular bug in gnome-screensaver-dialog)
CVE-2011-1594
	NOT-FOR-US: Red Hat Network Satellite server
CVE-2011-1588
	- thunar (Introduced in 1.2, only in experimental)
CVE-2011-1490
	- rsyslog 5.7.6-1 (low)
CVE-2011-1489
	- rsyslog 5.7.6-1 (low)
CVE-2011-1488
	- rsyslog 5.7.6-1 (low)
CVE-2011-1474
	NOT-FOR-US: PaX hardening patch
CVE-2011-1408 [ikiwiki tty hijacking vulnerability]
	- ikiwiki 3.20110608 (low)
CVE-2011-1151
	NOT-FOR-US: Joomla!
CVE-2011-1150
	NOT-FOR-US: bbPress
CVE-2011-1145 [buffer overflow in unixODBC's SQLDriverConnect()]
	- unixodbc 2.2.14p2-3 (low; bug #617655)
CVE-2011-1086
	NOT-FOR-US: openfiler
CVE-2011-1085
	NOT-FOR-US: smoothwall
CVE-2011-1084
	NOT-FOR-US: smoothwall
CVE-2011-1070
	- v86d 0.1.10-1 (low; bug #619404)
CVE-2011-1069
	NOT-FOR-US: PHPShop
CVE-2011-1028
	- smarty3 3.0.8-1
CVE-2011-1009
	NOT-FOR-US: Vanilla Forums
CVE-2011-1133 [xinha XSS mode param]
	- serendipity (bug #611661)
CVE-2011-1134 [xinha XSS image manager]
	- serendipity (bug #611661)
CVE-2011-1135 [xinha multiple vulns]
	- serendipity (bug #611661)
CVE-2011-1136 [tesseract tempfile]
	- tesseract 2.04-2.1 (low; bug #612032)
CVE-2011-0705 [path traversal in SimpleHTTPServer]
	NOTE: Will be rejected
CVE-2011-0704
	NOT-FOR-US: 389 Directory Server
CVE-2011-0703
	- gksu-polkit (bug #684489)
CVE-2011-0699
	- linux-2.6 2.6.37-2
CVE-2011-0544
	- phpbb3 3.0.7-PL1-5 (low; bug #612477)
CVE-2011-0529
	- weborf 0.12.5-1
CVE-2011-0528
	- puppet 2.6.2-3
CVE-2011-0525
	NOT-FOR-US: Batavi
CVE-2011-0460
	- kbd (SUSE-specific)
CVE-2011-0428
	- ikiwiki 3.20110122
CVE-2011-0068
	- xulrunner (Only affects Firefox 4.0, not yet in unstable)